
Ruby on Rails Web Application Security


Basics of Web Application Security with a focus on Ruby on Rails

Ivan Storck

July 18, 2013


Transcript

  1. Web Application Security with a focus on Ruby on Rails
     Ivan Storck @ivanoats http://linkedin.com/in/ivanoats
     Friday, July 19, 13

  2. Why Me?
     • You have a web site
     • You have email addresses and access to an SMTP server
     • You have usernames and passwords
     • You have credit card data
     • You're an activist or a minority, or a majority, left wing or right
     • You really DO have something to hide

  3. Social Engineering
     • Manipulation
     • (Spear) phishing
     • Urgent phone calls
     • USB flash drives ("can I just print my resume?")
     • Quid pro quo ("Hi, this is Mike from tech support")

  4. Social Engineering
     • great read
     • learn from a master hacker and storyteller

  5. More non-technical exploits (habits that hand an attacker the keys)
     • Breaking your own security model "because it's easier"
     • Sending passwords by email (unless the mail is encrypted)
     • Using the same password for different services
     • Keeping unencrypted customer data on your laptop

  6. OWASP Top 10
     • Open Web Application Security Project: a periodically updated ranking of the most critical web application risks; this is the 2013 edition
     • A1 Injection
     • A2 Broken Authentication and Session Management
     • A3 Cross-Site Scripting (XSS)
     • A4 Insecure Direct Object References
     • A5 Security Misconfiguration
     • A6 Sensitive Data Exposure
     • A7 Missing Function Level Access Control
     • A8 Cross-Site Request Forgery (CSRF)
     • A9 Using Components with Known Vulnerabilities
     • A10 Unvalidated Redirects and Forwards

  7. OWASP Rails Cheat Sheet
     • https://www.owasp.org/index.php/Ruby_on_Rails_Cheatsheet
     • Let's take a look at this in detail... after these messages...

  8. SQL Injection - Back on the Rails
       User.where("name like ?", "%#{params[:name]}%")
     • The "?" is a bind placeholder: ActiveRecord quotes the value and escapes any embedded quote for the database in use, so user input can never end the string literal or start a new statement. (The deck calls this "parameter escaping", and it is GOOD.)
     • Caveat: the placeholder quotes the string but does not neutralise LIKE wildcards; "%" and "_" in params[:name] are still interpreted as wildcards by the database.
     • Detailed info: http://rails-sqli.org/ http://railscasts.com/episodes/25-sql-injection

  9. XSS - Cross Site Scripting
     • You can do pretty much anything if you let users get JavaScript onto the page
     • Rails protects you by default: everything output through <%= %> is HTML-escaped
     • But there are several ways to bypass it (sometimes legitimately), and each one is a place where user input can reach the page unescaped:
       <%= raw @product.name %>
       <%= @product.name.html_safe %>
       <%= content_tag @product.name %>
     • WARNING: raw and html_safe switch escaping off for the whole value; content_tag escapes the content but trusts the tag name, so a user-supplied name is written into the page as-is

  10. XSS - Mitigation
     • Consider a markup language like Markdown or Textile and disallow HTML tags
     • Use the #sanitize method, which strips everything except an allowlist of tags and attributes
       BETTER:
       <%= sanitize @article.body %>
       <%= sanitize @article.body, tags: %w(table tr td), attributes: %w(id class style) %>
     • Caveat: keep the allowlist minimal. A permitted style attribute lets users inject CSS, which older browsers have been tricked into executing as script, so allow it only if the feature really needs it

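The following is an added example and not code from the deck: it models, in plain Ruby with no Rails installed, the escaping decision from slide 9 and the allowlist idea from slide 10. SafeString, render_value, raw, content_tag and sanitize are stand-ins defined here for the illustration (Rails' real ones are ActiveSupport::SafeBuffer and the ActionView helpers); only ERB::Util.html_escape is the actual standard-library call. The toy sanitize keeps attribute-free tags only, which is why it can be implemented safely as escape-then-restore; Rails' sanitize parses the HTML and can allowlist attributes as well.

```ruby
require "erb"

# Pure-Ruby model of how a Rails view decides whether to escape a value.
# Example code, not ActionView itself: the real class is
# ActiveSupport::SafeBuffer, but the decision rule is the same.
class SafeString < String
  def html_safe?
    true
  end
end

# <%= raw value %> and value.html_safe both do this: mark the string so
# the view skips escaping. Only call it on markup you generated yourself.
def raw(value)
  SafeString.new(value.to_s)
end

# What <%= value %> does: escape unless the value was marked safe.
def render_value(value)
  return value.to_s if value.respond_to?(:html_safe?) && value.html_safe?

  ERB::Util.html_escape(value.to_s)
end

# Like ActionView's content_tag: the *content* is escaped, the tag *name*
# is trusted. A user-controlled name therefore reaches the page unescaped.
def content_tag(name, content = "")
  "<#{name}>#{render_value(content)}</#{name}>"
end

# Allowlist sanitizer in the spirit of <%= sanitize body, tags: [...] %>:
# escape everything, then restore only the exact, attribute-free open and
# close tags on the allowlist. Anything else (attributes, event handlers,
# unknown tags) stays escaped. This is a toy; it deliberately has no
# attribute allowlist because that needs a real HTML parser.
def sanitize(html, tags: %w(b i em strong p))
  out = ERB::Util.html_escape(html.to_s)
  tags.each do |tag|
    out = out.gsub("&lt;#{tag}&gt;", "<#{tag}>")
             .gsub("&lt;/#{tag}&gt;", "</#{tag}>")
  end
  out
end

# Constructed attacker input, as a commenter might submit in a blog post.
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"

if __FILE__ == $PROGRAM_NAME
  puts render_value(XSS_PAYLOAD)        # escaped: shows up as harmless text
  puts render_value(raw(XSS_PAYLOAD))   # bypassed: the script tag reaches the page
  puts content_tag("script", "alert(1)") # tag name trusted, content had nothing to escape
  puts sanitize("<b>bold</b> #{XSS_PAYLOAD}")
end
```

Run it with `ruby xss_demo.rb` (file name assumed). The third line is the point of the content_tag warning on slide 9: nothing in the content needed escaping, so the helper happily emitted an executable script element because the name came from the caller.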
  11. Practice: Fix Ivan The Terrible's Blog
     • Start with the "insecure" branch
     • Use the search string below to test SQL injection
     • Play with XSS by inserting JavaScript into a post and see what chaos you can make!
     Search string (enter it as one line):
       foo%'); INSERT INTO posts (id,title,body,created_at,updated_at) VALUES (99,'hacked','hacked alright','2013-07-18','2013-07-18'); SELECT "posts".* FROM "posts" WHERE (title like '%anything
     • How it works: the leading foo%') closes the quoted LIKE pattern and the parenthesis of the insecure query, the INSERT adds a row, and the trailing SELECT ... (title like '%anything absorbs the %') that the application appends, so the text parses as three complete statements instead of one
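An added example, not code from the deck or the practice repository, that serves slides 8 and 11 together: the insecure and fixed query builders from slide 8 applied to the attack string from slide 11, in plain Ruby with no database. unsafe_search_sql, quote, safe_search_sql, escape_like, wildcard_safe_search_sql and top_level_semicolons are illustration helpers written here; quote mirrors the single-quote doubling used by SQLite and PostgreSQL when a "?" placeholder is expanded, and escape_like mirrors what later Rails versions offer as sanitize_sql_like. The shape of the insecure query is assumed from the fragment at the end of the attack string.

```ruby
# Pure-Ruby model of the two queries from slide 8, run against the attack
# string from slide 11. There is no database: the functions build the SQL
# text the way ActiveRecord would, so the difference between interpolation
# and a "?" placeholder can be inspected directly.

# Constructed attacker input (the search string from the practice slide).
ATTACK_INPUT = "foo%'); INSERT INTO posts (id,title,body,created_at,updated_at) " \
               "VALUES (99,'hacked','hacked alright','2013-07-18','2013-07-18'); " \
               "SELECT \"posts\".* FROM \"posts\" WHERE (title like '%anything"

# Insecure branch (assumed shape): Post.where("title like '%#{params[:search]}%'").
# The input is pasted into the SQL text, so a quote in it ends the literal.
def unsafe_search_sql(term)
  %(SELECT "posts".* FROM "posts" WHERE (title like '%#{term}%'))
end

# How a "?" placeholder is expanded: the value becomes one quoted literal,
# with any embedded single quote doubled so it cannot close the literal.
def quote(value)
  "'#{value.to_s.gsub("'", "''")}'"
end

# Fixed branch: Post.where("title like ?", "%#{params[:search]}%").
def safe_search_sql(term)
  %(SELECT "posts".* FROM "posts" WHERE (title like #{quote("%#{term}%")}))
end

# Caveat the placeholder does not cover: % and _ are LIKE wildcards, so a
# user can still match everything with "%". Escape them and the escape
# character itself (this is what later Rails versions' sanitize_sql_like
# does), then declare the escape character in the query.
def escape_like(value)
  value.to_s.gsub(/[\\%_]/) { |c| "\\#{c}" }
end

def wildcard_safe_search_sql(term)
  literal = quote("%#{escape_like(term)}%")
  %(SELECT "posts".* FROM "posts" WHERE (title like #{literal} ESCAPE '\\'))
end

# Cheap injection check for the examples: count ";" outside single-quoted
# literals, treating a doubled quote as an escaped quote. A single
# well-formed statement has none.
def top_level_semicolons(sql)
  count = 0
  in_literal = false
  i = 0
  while i < sql.length
    c = sql[i]
    if in_literal
      if c == "'"
        if sql[i + 1] == "'"
          i += 1            # doubled quote: still inside the literal
        else
          in_literal = false
        end
      end
    elsif c == "'"
      in_literal = true
    elsif c == ";"
      count += 1
    end
    i += 1
  end
  count
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_search_sql(ATTACK_INPUT)   # three statements, one of them an INSERT
  puts safe_search_sql(ATTACK_INPUT)     # one statement; the attack text is just a literal
  puts wildcard_safe_search_sql("50%_off")
end
```

Print the two outputs side by side and the fix is visible in the text itself: in the safe version every quote the attacker typed has become a doubled quote inside one literal, so the INSERT and the second SELECT are data the database searches for, not statements it runs.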